Zoning to secure valuable resources is nothing new. The concept of creating security zones has been around for centuries. For example, countries have divided their lands into regions and applied military security protection to each region based upon the regional characteristics, value, population, and other various factors.
Security zones are also used to help protect valuable resources against acts of terrorism or other targeted violence. For example, airports mitigate their risks through the use of security zones. They divide the airport grounds, airspace, and facilities into specific zones in order to protect the critical sections of the airport from unlawful interference and to more easily manage the zone areas. Certain security controls apply within each zone. These may include actions such as establishing and maintaining barriers to protect the zoned area, restrictions on entry, and so on. Typically, an airport has an airside area and a landside area. The critical aviation operations are generally included in the airside area, where security is more tightly regulated. These zones may be established for a range of reasons, including the control of people movement, prevention of interference with aircraft, and restriction of access to critical facilities.
Using security zones in these ways not only makes management of security more effective and efficient but also helps to decrease the overall cost of security by creating scalable protection for zones based upon the risks of each zone. Organizations can learn from these practices and apply these same concepts of creating security zones to their own enterprises to protect their information and network resources more efficiently, effectively, and economically. As discussed in earlier chapters, securing only the perimeter will not provide defense against new attack methods and threats such as:
Recent surveys reveal that most customers still do not trust companies to handle their personal information responsibly. An October 2005 Ponemon Privacy Survey indicates the customer and opportunity losses associated with information breach events cost a company significantly more than the actual breach events themselves. A March 2005 Ponemon Privacy Trust Survey of more than 2300 adult Internet users in the United States reveals that customers who have a high level of trust in their banks are more likely to do online banking tasks and to remain loyal to the bank they trust. Fifty-seven percent indicated that they would stop using online services if a single privacy breach occurred.
Reflecting consumer mistrust, several governmental regulations have emerged that legislate security and build consumer trust. The laws are complex and failure to follow regulation can result in huge fines, penalties, and even prison time for offending executives. Business leaders must not only be aware of but also strive to be in compliance with the multitude of regulations that are applicable to their companies. This complexity can be made more manageable and companies can more clearly provide demonstration of due diligence by tackling the requirements in zoned chunks across the enterprise. Table 4.1 highlights a few of the regulations and high level requirements as well as the implications for zoning to make compliance with multiple regulations more manageable.
Implications of Zone Security
United States Gramm-Leach-Bliley Act
| || |
United States California Senate Bill 1386
| || |
United States Sarbanes-Oxley Act
| || |
United States SEC Rule 17a (Books and Records Rules)
| || |
Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
| || |
European Union Data Protection Directive
| || |
Japan Personal Information Protection Law
| || |
United States Health Insurance Portability and Accountability Act (HIPAA)
| || |
Table 4.1: Regulations with zoning implications.
The quality of a network's security is an essential component of the security posture; it connects applications, systems, and users. The network should provide a solid first layer of defense against outside attacks, complementing operating system (OS) and application-level security. Separating the network into virtual compartments, or zones, allows security managers to consolidate resources in a cost-effective manner and control user access to each application and related information. The network then creates a secure environment not only at the perimeter but also in security zones throughout the enterprise.
Security zones can contain the spread of an attack and provide strong access controls.
The concept of network security zoning really became widely critical in the 1990s when exploding numbers of organizations began connecting to the Internet. In doing so, they realized, sometimes through brutal business-impacting results of security incidents, that security was needed between the corporate network and the wild and untamed Internet. This realization resulted in the widespread use of demilitarized zones (DMZs) at most security-conscious organizations. The DMZ protected the organization's information and network assets by connecting through them through a firewall. Basically, the network became one large security zone, and the DMZ became another, less-trusted filtering security zone, as demonstrated in Figure 4.1. The connections to business partners largely were made without any additional security applied, creating huge vulnerabilities that were by-and-large unbeknownst and/or unconsidered within the organization.
Figure 4.1: Typical early zoning with the internal network all in one zone.
As zoning has evolved, it is increasingly used for creating security defenses between departments or other logical divisions of services and products. For example, the marketing department typically has hosts and subnets with many security and access controls in common. These hosts and networks can logically be grouped into their own zone simply called Marketing.
When there is a need for exceptions or other special cases, perhaps when one or more hosts belonging to the zone needs specific or more restricted access, explicit policy rules can be created within the host or subnet level, again without compromising security. Security zones allow for easy consolidation of environments in which multiple distributed security defenses are currently used for security segmentation. This consolidation offers significant cost savings, reduced administrative burden, policy enforcement, and clearly defined trust domains—all of which are the primary drivers behind consolidation.
So why isn't network security zoning more widely embraced if it is such a good idea? The most common reason IT analysts give is that up until recently the only way to employ security zoning was with hardware—by either installing firewalls or VLANs and subnets throughout the network. These methods alone were cumbersome to manage and created a certain level of inflexibility. As the internal threats, risks, and vulnerabilities were not fully understood, they felt that as long as the perimeter was secure, the inflexibility wasn't worth the perceived gains. However, with an increasingly porous perimeter, and more knowledge and understanding of insider threats, the value of establishing internal network security zones is being recognized as valuable. There are also many new and emerging products to allow the network to be zoned from a software point of view instead of just a hardware standpoint, effectively addressing the inflexibility of the older hardware-only solutions.
Over the years, within the typical organization, the network grows and security is deployed within various departments as it is needed. This network growth often accompanies rapid company growth, disparate geographies, and numerous new technologies, usually with no combined effort to consolidate the varying security components and layers into a single enterprise strategy. Dependence on the network along with functional enhancements to the business systems increases the importance of security and dependable accessibility to information. This uncoordinated application of security whenever it is needed, without any forethought to support or management, results in extremely costly and difficult-to-manage systems with gaps in security throughout the network. Implementing network security zones can help organizations achieve their goals of scalability, availability, security, manageability, performance, supportability, and geographic distribution, while realizing savings at many levels throughout the enterprise.
Creating effective security zones throughout the enterprise will not only decrease the total cost of ownership (TCO) for the IT infrastructure by eliminating wasteful redundancies and establishing consistent standards but also has the added benefit of creating an efficient management layer of protection through thoughtful and effective network and systems segmentation.
Security zones enable organizations to:
Providing compartmentalized security throughout the enterprise through the use of security zones is a tried and true way to mitigate risks within the perimeter. Security zones proactively defend against vulnerabilities, minimizing unauthorized access, intentional and unintentional.
Consider the impact of "zero-day" malicious code attacks. "Zero day" refers to an attack, usually through a malicious code exploit, such as a worm or a virus, that makes use of previously unknown vulnerabilities. Zero-day exploits typically start attacking systems at the same time as, or even before, the public announcement of a vulnerability in a computer system. Reactive defenses, such as signature-based virus scanners and automated patching systems, are still necessary, but they are ineffective against zero-day attacks.
By using security zones, such zero-day attacks can be more successfully contained within the zone of origination, isolating the attacks and the compromised device. Confining an attack to one or a few zones allow other network security zones to continue to support business as usual.
As discussed earlier in this guide, there is great threat to information resources from insiders who have authorized access. Insiders may threaten an organization's interests by disclosing sensitive or classified information, making decisions that have a negative impact on the business, or exacting a network attack. Establishing security zones throughout the enterprise can help to contain the impact of any insider attack to only the zone within which they are located.
When considering the deployment of security zones, wise business leaders must consider how the implementation of what at the onset seems to be a huge investment, in reality will save the organization time, money, and human resources in the long run.
According to a 2005 Gartner Group study, the average downtime cost for businesses across all industries is more than $1 million per hour. In addition, according to a 2005 Wall Street Journal report, more than 83 percent of all critical data lost is due to some form of human error, 64 percent from human mistakes and 19 percent from internal sabotage within an organization.
So where can savings be realized? Measure the gains in IT staff and user productivity from deploying the solution as well as the revenue recaptured from reduced downtime, the cost savings from increased IT staff efficiency, fewer security incidents and associated response costs, and lower capital and operating expenses. The following list provides examples of ways in which network zoning will save organizations time and money resources:
Security controls must be in place to safeguard all operations of enterprise information facilities and systems. Operational security controls must ensure that risks to information integrity, availability, and confidentiality are minimized in the operational environment, in online service delivery, and in exchanging information by any means in the internal or external information environment. Zoning can enhance and improve the efficiency of security and risk reduction for these operations. The following sections provide examples of operational activities that can be enhanced by security zones.
Organizations must ensure that security controls are in place for the protection of information and systems against viruses and other malicious code. Controls must include prevention, detection, removal, and reporting of attacks of malicious code on the information environment. Incorporating zone-based virus and malicious code prevention can help improve the effectiveness of the controls and help protect zones when outbreaks occur in other zones on the network.
Organizations must develop processes to ensure the availability of information and information systems, networks, and applications in the event of failure or unforeseen loss of information.
Processes must be established that include comprehensive information backup procedures. Operator and fault logs must be implemented to monitor the integrity and availability of information, information systems, networks, and applications. Efficiency is improved by implementing logs and maintenance within zones. This task is accomplished by limiting the scope of the logs and, as a result, making maintenance less labor intensive, allowing multiple groups to focus just on their areas of responsibility.
Organizations must establish security controls to protect networks and infrastructures from unauthorized access and to safeguard information confidentiality and integrity. To ensure the integrity of networks, privately owned devices (for example, home computers) must not connect to enterprise networks unless detailed risk assessments are conducted to determine all security impacts and any additional security measures are in place to ensure the highest level of information security. Assessment must include all aspects of information security (for example, authentication measures, access controls, virus and malicious code protection, physical and personnel security). Establishing such measures and controls and performing such assessments within identified security zones helps to streamline the security process and limit the scope to only the area of the network for the management process.
Methods for exchanging information between an organization and business partners or third parties must be consistent and secure to meet legal and regulatory requirements. When network information is exchanged, it must be protected according to the level of classification. By creating security zones, an organization can more easily and efficiently manage the information within each zone as well as ensure each piece of information is appropriately classified. This setup then enables the information to be shared with third parties and business partners in the most appropriate way. For example, a zone can be established to exchange information with a high-risk third party so that the accompanying risks to rest of the network will be minimized as much as possible.
Formal processes must be in place to report security incidents and weaknesses as quickly as possible to appropriate positions, such as the corporate information security officer and/or corporate privacy officer. Dividing the enterprise network into security zones can allow for more efficient and timely monitoring of security incidents on a zone-by-zone basis and report to the most appropriate position based upon the zone within which the incident occurs.
Physical and environmental controls are also an important component to protecting enterprise information and systems. Without sufficient physical and environmental controls, you could experience a complete network failure. To help prevent network interruptions and inappropriate access to information resources you need to:
Environmental failures and physical events can cause considerable damage to information systems and business processing. Such threats can be natural or man-made. Mitigating the risks from these threats can be approached using zoning techniques in the same way that zones can be established within the network.
Implementing a strategy for physical protection is an important step to include within any effective enterprise information security plan. Zoning can be used to establish efficient and effective physical information protection.
Traditionally, organizations considered zoning to basically consist of installing fire alarms and fire suppression systems within each room. However, physical zoning to complement network security zoning efforts goes beyond this. Physical zoning can facilitate the simplest to the most detailed security model. The components of security devices implemented within each identified security zone may include:
Physical security zones can be based upon similar requirements as network-based zones. For example, physical zones can be role-based. In such a plan, users are assigned to access physical areas, systems, data, and other components based upon their job responsibilities and assigned roles. Figure 4.2 provides a basic example of using role-based physical security zoning for access control. In this example, the zones are labeled 1 through 7. Each zone has unique threats, risks, and vulnerabilities. Zone 1 is the least restrictive, being open to the public. Zones 5 and 6 are the most restrictive, containing the operations equipment and all the customer data. Everyone within the building has access to the areas within Zone 7. Only authorized personnel have access to Zone 3, the executive office. Zone 4 is restricted to only personnel performing test and development activities.
Figure 4.2: Example of physical security zoning.
Conduct a risk analysis to understand the physical threats, vulnerabilities, and risks, then use this information to build a risk mitigation strategy that includes identification for where physical security zones are needed. Once you have decided where your physical security zones should be located and how restrictive access to each should be, you then need to determine the controls to support the security zones.
The more restrictive the zone, the stronger and more reliable the controls should be.
By combining physical zones with network security zones, organizations can create an effective centrally managed defense to protect information and assets.
Business leaders can translate the broad concept of using security zones as discussed within enterprises at a very high level by:
The following sections explore at a high level the concepts of creating and implementing security zones to help guide enterprise leaders in overseeing such activities within their organizations.
Create a list of critical enterprise information and network assets, then document the ones essential to the reliable and necessary operation of the enterprise. Follow a documented, riskbased process for your identification methodology. Establish risk-based criteria that correspond to the unique environment, requirements, services, and products of your organization.
Most organizations have a control center and backup control center that are considered critical enterprise assets.
The computers and networks that provide the data and information to drive decisions made in the control center will typically be considered critical assets. Some organizations will have a very long list of critical assets. They will often be based within business units and critical corporate activity centers.
Identifying critical information and network assets will require the participation of personnel from all facets of the organization.
The following list highlights examples of critical information and network assets:
As of September 2005, the North American Electric Reliability Council (NERC) is currently drafting wide-ranging cyber-security guidelines to replace their temporary precautions adopted as NERC Cyber Security Standard 1200 in 2003, renamed NERC Cyber Security Standard 1300 in 2004. This new set of guidelines, NERC CIP, will be finalized in Spring 2006 and establishes standards in eight key areas:
Creating an inventory and corresponding classification of critical enterprise information and network assets is a critical step in creating security zones. It is also an activity that should have been done already to facilitate business continuity processes and comply with various regulatory requirements for identifying and protecting certain types of information.
Typically, such an inventory and classification of criticality is created during a business impact analysis during the creation or update of a business continuity plan.
The types of resources typically included within a business impact analysis include:
The 2004 TechRepublic State of IT Asset Management study of 497 organizational responses revealed:
Asset inventory and categorization will also help auditors and compliance regulators to better understand how the security threats on a low-priority system or zone are different and require different levels of security than the security threats on a high-priority system or zone. Not only will such an inventory and categorization improve the reviewers' understanding, it will also help to reduce the time necessary for the review, which will then result in a positive impact on your organization's bottom-line.
The information within a zoned area of the enterprise network for development systems will likely be lower priority than the customer information located within the zoned area of the enterprise network for production ecommerce systems.
Divide the data center into areas that are logically separated from one another based upon their associated critical assets and revenue areas to contain an attack at minimal impact to the overall business. Zones can support individual applications or application tiers, groups of servers, database servers, Web servers, e-commerce zones, and storage resources.
Examples of security zones created through grouping assets include limiting user access to Web servers, such as through the use of a Web front-end, protecting the application and database tiers from accidental or malicious damage. In addition, communication between applications can be limited to specific traffic required for application integration, data warehousing, and Web services.
Security zones can provide logical separation of each application's storage environment across a scalable, consolidated storage network. To achieve this setup efficiently, firewalls can be integrated and virtualized to provide secure connectivity between application and server environments
Segregate business-critical development and production facilities to reduce the risk of accidental changes or unauthorized access to production software and business data. Development and testing activities can cause unintended changes to software and data sharing the same computing environment. Use zoning to manage these risks. When creating zones take into consideration that
The risks of using external service providers, connecting to business partners, and otherwise sharing information and network resources with third parties should be assessed and documented. Connecting to or using third parties for managing or processing computer or network facilities increases the risks to an organization's information security. Just look at the number of incidents that have occurred through third parties in just the past 12 months, as described in previous chapters.
Appropriate information security measures, both technical and non-technical, should be incorporated into contracts before a third party connects to an organization's network or starts processing an organization's information. Use this contract information to create security zones for the business partners that address the unique risks presented by each.
Many organizations find after identifying critical information and network assets that it is most advantageous and efficient for security management to create security zones based upon business unit services and products.
After the security zones are identified, a road map needs to be created to ensure the efficient and effective implementation of the security zones into the enterprise, based upon criticality, over a reasonable period of time. Integrate the security zones into the existing enterprise network. Define the access and security requirements for every service so that the network can be divided into security zones with clearly identified security and access levels.
Work with each security zone separately. It is likely each zone will have a different security model necessary to address the identified risks. Security controls should be implemented so that security breaches and incidents can be confined to a particular zone or part of the network as much as possible.
Implement security zones in such a way so that they will limit the damage a security breach or incident has on the entire network.
In addition, security zones should take into consideration the network security architecture defining common security services that are implemented across the network. The following list highlights typical services:
Recognize the optimal varying levels of control within the security zones to identify clients and zone users, protect your zone perimeters as well as network perimeters, protect confidential information from eavesdropping or tampering during transmission, and ensure the integrity of your system and applications. Such decision making will involve not only IT staff but also information security, business unit contacts, and internal audit. After you have made the difficult decisions for the types of security to deploy within the zones based upon the risks within each of the zones, deploy the security architecture in phases, addressing the most critical zone areas first.
The road map for establishing and maintaining security zones will likely include a diagram representing the zones. For example, Figure 4.1 from earlier in this chapter may now look like Figure 4.3 after the decisions have been made about where to establish the zones.
Figure 4.3: Example of zoning within the network.
Each of the identified security zones need to have controls and protections implemented based upon the risks specific to that zone. It is likely all zones will have similar protections, such as virus control systems. However, it is also likely that zones will have unique controls that no other zones may have, such as a zone with a remote access server (RAS) or a zone that houses a credit card processing system. There will probably be zones that have firewalls protecting them, and other zones that have no firewalls. Steps to building a security zone include:
The key to successful zoning is thoughtful analysis of the risks within and to each zone, then the application of the most appropriate security controls for each zone's risk.
By implementing security zones, an organization will shift reliance from perimeter security to an asset-centric model that protects the enterprise assets from the most likely threats with the most efficient measures. Security zones allow assets of greater organizational criticality and value to be held to higher security standards and protected by additional layers of defense. If possible, they should be compartmentalized, or zoned, into their own networks and segments. By doing so, the perimeter will be considered an asset.
Do not stop at just zoning alone, though. Zoning is just one of the layers to use within an organizational security strategy. To successfully defend against the multiple and varied types of threats and address the numerous and diverse vulnerabilities, organizations need to create and implement a layered security strategy. Perimeters, infrastructure devices, OSs, applications, and data must be assessed and appropriately fortified to mitigate the risks that threaten your organization. Use multiple complementary approaches for security enforcement and defense at various points in the network, which will remove single points of security failure.
Chapter 5 will discuss the need for a layered security strategy in detail. For now, the following list outlines at a high level a layered security strategy, including security zones:
Organizations should use security zones to more effectively and efficiently help protect valuable information and network resources against the multitude of threats within the perimeter as well as the increasing amount of threats from outside. The following checklist identifies considerations for security zone implementation: